Activity log for bug #1732141

Date Who What changed Old value New value Message
2017-11-14 10:05:05 Bhagyashri Shewale bug added bug
2017-11-14 10:05:26 Bhagyashri Shewale glance: assignee Bhagyashri Shewale (bhagyashri-shewale)
2017-11-14 10:06:57 Bhagyashri Shewale description (old value and new value carry the same text, differing only in whitespace; shown once below)

There are two methods to create images:

Method A)
    POST /v2/images
    PUT /v2/images/{image_id}/file

Method B)
    POST /v2/images
    PUT /v2/images/{image_id}/stage
    POST /v2/images/{image_id}/import

The Glance community has a long-term plan to restrict Method A for normal users creating images. The traditional image upload API (PUT /v2/images/{image_id}/file) uses the 'upload_image' policy, which is the same policy used by Method B (POST /v2/images/{image_id}/import), the image-create-via-import API (the new API for image create). If the Glance community restricts the traditional Method A (image upload) for normal users, it will also impact the Method B (POST /v2/images/{image_id}/import) image-import call, so a normal user won't be able to import an image using image-create-via-import (the new API for image create). 'upload_image' and 'import image' share the same policy.

Steps to reproduce:

Case 1: Restrict the normal user from upload-image

1. Modify /etc/glance/policy.json:
        "upload_image": "role:demo",

2. Create the image:
    $ glance image-create --name test --property test=tyest --file spec_and_blueprint_content.txt --container-format bare --disk-format qcow2
    +------------------+--------------------------------------+
    | Property         | Value                                |
    +------------------+--------------------------------------+
    | checksum         | None                                 |
    | container_format | bare                                 |
    | created_at       | 2017-11-13T07:02:41Z                 |
    | disk_format      | qcow2                                |
    | id               | d719c5fb-4907-4b8d-b219-18a2743b82b6 |
    | min_disk         | 0                                    |
    | min_ram          | 0                                    |
    | name             | test                                 |
    | owner            | d2b9f7372d2e481ca13a16bd526f9f14     |
    | protected        | False                                |
    | size             | None                                 |
    | status           | queued                               |
    | tags             | []                                   |
    | test             | tyest                                |
    | updated_at       | 2017-11-13T07:02:41Z                 |
    | virtual_size     | None                                 |
    | visibility       | shared                               |
    +------------------+--------------------------------------+
    403 Forbidden: Not allowed to upload image data for image d719c5fb-4907-4b8d-b219-18a2743b82b6: You are not authorized to complete upload_image action. (HTTP 403)

Case 2: Now the normal user wants to create the image using the image-create-via-import API, but it will not allow the image to be imported because of the policy set in the first case.

    $ glance image-create-via-import --name test --file spec_and_blueprint_content.txt --container-format bare --disk-format raw --property os_distro=xyz
    +------------------+--------------------------------------+
    | Property         | Value                                |
    +------------------+--------------------------------------+
    | checksum         | None                                 |
    | container_format | bare                                 |
    | created_at       | 2017-11-13T07:23:25Z                 |
    | disk_format      | raw                                  |
    | id               | 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9 |
    | min_disk         | 0                                    |
    | min_ram          | 0                                    |
    | name             | test                                 |
    | os_distro        | xyz                                  |
    | owner            | d2b9f7372d2e481ca13a16bd526f9f14     |
    | protected        | False                                |
    | size             | None                                 |
    | status           | queued                               |
    | tags             | []                                   |
    | updated_at       | 2017-11-13T07:23:25Z                 |
    | virtual_size     | None                                 |
    | visibility       | shared                               |
    +------------------+--------------------------------------+
    403 Forbidden: Not allowed to upload image data for image 7e0bc1c4-7024-43cb-b75c-2a5629f8ded9: You are not authorized to complete upload_image action. (HTTP 403)

So to overcome this we will need to add a separate policy for import image in policy.json.
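The following script is an added example, not part of the bug report and not Glance's own code. It models what the report describes: two API flows that enforce one policy target ("upload_image") behave as a single all-or-nothing switch, so the operator's restriction "role:demo" produces the 403 on both PUT .../file and POST .../import, and only a separate target per operation lets the two paths be restricted independently. The rule evaluator is a toy subset of what oslo.policy does (enough for "role:demo"), the policy file contents are constructed to match the reproduction, and the target name "import_image" is an assumption for illustration; the bug says a separate policy is needed but does not name it. The stage call is left out of Method B because the report does not say which target it enforces.

```python
"""Added example: one policy target shared by two Glance data paths versus
a separate target per path. Toy evaluator, not oslo.policy."""

# Constructed policy.json contents, as set in the reproduction:
# "upload_image" restricted to the "demo" role.
POLICY_JSON = {
    "default": "",
    "add_image": "",
    "upload_image": "role:demo",
}

# Same file with a hypothetical separate target for import (assumed name),
# left open so that import keeps working while direct upload is restricted.
POLICY_JSON_SEPARATED = dict(POLICY_JSON, import_image="")

# API operation -> policy target. The shared mapping is what the bug
# describes: both data paths enforce "upload_image".
SHARED_TARGETS = {
    "POST /v2/images": "add_image",
    "PUT /v2/images/{image_id}/file": "upload_image",
    "POST /v2/images/{image_id}/import": "upload_image",
}
SEPARATED_TARGETS = dict(SHARED_TARGETS)
SEPARATED_TARGETS["POST /v2/images/{image_id}/import"] = "import_image"


def evaluate(expr, rules, roles):
    """Evaluate one rule expression against the caller's roles.

    Supported subset: "" (allow all), "!" (deny all), "role:<name>",
    "rule:<target>", and "or" / "and" ("and" binds tighter, as in oslo.policy).
    """
    expr = expr.strip()
    if expr == "":
        return True
    if expr == "!":
        return False
    if " or " in expr:
        return any(evaluate(p, rules, roles) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, rules, roles) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return evaluate(rules[value], rules, roles)
    raise ValueError("unsupported rule check: %r" % expr)


def enforce(rules, target, roles):
    """True if the target is allowed; an unknown target falls back to 'default'."""
    expr = rules.get(target, rules.get("default", "!"))
    return evaluate(expr, rules, roles)


def run_flow(calls, rules, targets, roles):
    """Walk an API flow and stop at the first refusal, as the client does.

    Returns (operation, http_status) pairs: 403 is what the report shows,
    200 stands in for any success status.
    """
    result = []
    for call in calls:
        allowed = enforce(rules, targets[call], roles)
        result.append((call, 200 if allowed else 403))
        if not allowed:
            break
    return result


def denied(flow):
    """Operations a flow was refused on; an empty list means it ran through."""
    return [op for op, status in flow if status == 403]


METHOD_A = ["POST /v2/images", "PUT /v2/images/{image_id}/file"]
METHOD_B = ["POST /v2/images", "POST /v2/images/{image_id}/import"]

if __name__ == "__main__":
    member = {"member"}  # the "normal user" of the report, no "demo" role
    for label, rules, targets in [
        ("shared target", POLICY_JSON, SHARED_TARGETS),
        ("separate target", POLICY_JSON_SEPARATED, SEPARATED_TARGETS),
    ]:
        for name, calls in [("Method A", METHOD_A), ("Method B", METHOD_B)]:
            flow = run_flow(calls, rules, targets, member)
            print("%-16s %s: denied at %s" % (label, name, denied(flow) or "nothing"))
```

With the shared mapping a member-role user is refused on both flows at the data step; with the separate mapping Method A stays restricted while Method B completes, which is the per-operation control the report asks for. Whatever the real fix named the target, the operator-side check is the same: after restricting "upload_image", run an import as a non-admin user and confirm it no longer returns the 403 shown above.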
2017-11-14 10:23:42 Abhishek Kekane glance: status New Confirmed
2017-11-14 10:23:47 Abhishek Kekane glance: importance Undecided High
2017-11-14 20:36:15 Brian Rosmaita glance: milestone queens-2
2017-11-30 04:19:28 OpenStack Infra glance: status Confirmed In Progress
2017-12-06 22:59:02 Brian Rosmaita glance: importance High Critical
2017-12-06 22:59:02 Brian Rosmaita glance: milestone queens-2 queens-3
2017-12-12 00:00:12 OpenStack Infra glance: status In Progress Fix Released